commit/galaxy-central: 2 new changesets
2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/b5bda7a5c345/ changeset: b5bda7a5c345 user: natefoo date: 2012-10-05 21:49:26 summary: Fix the Compute tool to only allow for execution of a limited set of expressions. affected #: 1 file diff -r e8fc8e57dadc8a1254d994e4e05f40271d7e856b -r b5bda7a5c34535ada63722941f2a2d62524b1faa tools/stats/column_maker.py --- a/tools/stats/column_maker.py +++ b/tools/stats/column_maker.py @@ -46,6 +46,12 @@ for key, value in mapped_str.items(): expr = expr.replace( key, value ) +builtin_and_math_functions = 'abs|all|any|bin|chr|cmp|complex|divmod|float|hex|int|len|long|max|min|oct|ord|pow|range|reversed|round|sorted|str|sum|type|unichr|unicode|log|exp|sqrt|ceil|floor' +string_and_list_methods = [ name for name in dir('') + dir([]) if not name.startswith('_') ] +whitelist = "^([c0-9\+\-\*\/\(\)\.\'\"><=,: ]|%s|%s)*$" % (builtin_and_math_functions, '|'.join(string_and_list_methods)) +if not re.compile(whitelist).match(expr): + stop_err("Invalid expression") + # Prepare the column variable names and wrappers for column data types cols, type_casts = [], [] for col in range( 1, in_columns + 1 ): https://bitbucket.org/galaxy/galaxy-central/changeset/3b63335f5b1b/ changeset: 3b63335f5b1b user: natefoo date: 2012-10-05 21:52:50 summary: Merge from galaxy-dist affected #: 1 file diff -r cf93e8aa50f96e4d43d39e817d9754dc41a5886e -r 3b63335f5b1b33a2d6f74c2dfd38b85d97e9eebd tools/stats/column_maker.py --- a/tools/stats/column_maker.py +++ b/tools/stats/column_maker.py 
@@ -46,6 +46,12 @@ for key, value in mapped_str.items(): expr = expr.replace( key, value ) +builtin_and_math_functions = 'abs|all|any|bin|chr|cmp|complex|divmod|float|hex|int|len|long|max|min|oct|ord|pow|range|reversed|round|sorted|str|sum|type|unichr|unicode|log|exp|sqrt|ceil|floor' +string_and_list_methods = [ name for name in dir('') + dir([]) if not name.startswith('_') ] +whitelist = "^([c0-9\+\-\*\/\(\)\.\'\"><=,: ]|%s|%s)*$" % (builtin_and_math_functions, '|'.join(string_and_list_methods)) +if not re.compile(whitelist).match(expr): + stop_err("Invalid expression") + # Prepare the column variable names and wrappers for column data types cols, type_casts = [], [] for col in range( 1, in_columns + 1 ): Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
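Review bot: The `whitelist` pattern checks characters rather than syntax: the name alternation has no word boundaries, so under the outer `*` the allowed names also match as fragments, and any run of them glued together passes, not only the listed functions. It also admits `type` and every public `str` and `list` method via `dir('') + dir([])`, which is a much wider surface than column arithmetic needs if `expr` is evaluated further down (that code is outside this hunk). Wrapping the names as `\b(?:%s|%s)\b` in an `r"..."` literal and ending with `\Z` instead of `$` (which still matches before a trailing newline) would tighten it, although quoted literals that currently pass only as name fragments would then be rejected and need checking. An explicit short list of permitted methods, or validating the parsed expression with the `ast` module where the supported Python version has it, would be sturdier than extending the regex. The merge changeset 3b63335f5b1b carries the same hunk unchanged, so the point applies there as well.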